NGINX SSL

November 19, 2019

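# TLS-terminating front end for www.domain.com. Terminates HTTPS here and
# proxies cleartext to a local backend on port 8080. A separate `listen 80`
# server that 301-redirects to https:// is assumed but not shown; HSTS only
# takes effect after a client's first successful HTTPS visit.
server {
    listen       443 ssl http2;
    server_name  www.domain.com;

    # Only consulted for DHE_* suites. The ssl_ciphers list below is
    # ECDHE-only, so these parameters are never negotiated; harmless to keep,
    # but use >= 2048-bit parameters if a DHE suite is ever added.
    ssl_dhparam  /path/to/dhparams.pem;

    # fullchain.cer must hold the leaf followed by its intermediates so that
    # clients receive a complete chain. Keep the key readable by root only.
    ssl_certificate      /path/to/fullchain.cer;
    ssl_certificate_key  /path/to/domain.com.key;

    # Resumption via the shared server-side cache only. Tickets are off
    # because the ticket key is not rotated automatically, which weakens
    # forward secrecy for resumed sessions.
    ssl_session_timeout  10m;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_tickets  off;

    # TLS 1.0/1.1 are not offered. TLS 1.3 suites are fixed by the TLS
    # library and are not affected by ssl_ciphers. The trailing
    # ECDHE-*-AES*-SHA384/SHA256 entries are CBC suites retained only for
    # older clients; drop them once no such clients need support.
    ssl_protocols  TLSv1.2 TLSv1.3;
    ssl_ciphers    'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # HSTS for ~6 months (15768000 s). `always` emits the header on every
    # response code, not only 2xx/3xx, so an error page does not leave the
    # browser without the policy. Beware: add_header is NOT inherited into a
    # location that declares its own add_header — redeclare it there.
    # Add includeSubDomains / preload only once every subdomain serves TLS.
    add_header Strict-Transport-Security "max-age=15768000" always;

    # OCSP stapling. ssl_stapling_verify checks the responder signature
    # against the issuer chain in ssl_trusted_certificate. The resolver is
    # used only for the OCSP responder lookup; the public resolvers below
    # expose those lookups to a third party — prefer a local resolver.
    ssl_stapling  on;
    ssl_stapling_verify  on;
    resolver  8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout  5s;

    ssl_trusted_certificate /path/to/trusted.pem;

    location / {
        # `localhost` is a static name resolved at startup with the system
        # resolver, not via the `resolver` directive above.
        proxy_pass http://localhost:8080;

        # Tell the backend who the client is and that the original request
        # was HTTPS. Without X-Forwarded-Proto the application cannot set
        # Secure cookies or build https:// redirects correctly.
        # $proxy_add_x_forwarded_for APPENDS to any client-supplied
        # X-Forwarded-For, so the backend must trust only the right-most
        # address (the one written by nginx), never the left-most.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}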